BetterDocs WordPress Plugin Missing Authorization Vulnerability Allowing Unauthorized OpenAI API Usage

Vulnerability

The BetterDocs plugin for WordPress, in all versions up to and including 4.3.11, is missing an authorization check in the 'generate_openai_content_callback()' function, which relies only on a nonce for verification. A nonce proves that a request originated from a page the logged-in user loaded; it does not establish that the user is permitted to perform the action. This flaw enables authenticated attackers with subscriber-level access or higher to make OpenAI API calls using the site's API key, with prompts controlled by the user, resulting in unauthorized use of the site owner's paid AI API quota.

Impact

Exploitation of this vulnerability could result in unauthorized consumption of the site's OpenAI API quota, potentially leading to unexpected charges for the site owner.

Reproduction

To reproduce this vulnerability, an authenticated user with the subscriber role or higher sends a request to the WordPress REST API endpoint '/betterdocs/v1/create-sample-docs'; the endpoint does not require any capability that would authorize the action. The request must include a valid nonce for the 'generate_openai_content_nonce' action, which any logged-in user can obtain from the WordPress admin area.
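The defect described above and in the Vulnerability section is a common WordPress anti-pattern: treating a nonce as authorization. The following is an added illustrative example, not BetterDocs' own code; it shows a nonce-only AJAX handler beside a hardened version that also checks a capability, and the equivalent REST route with a proper 'permission_callback'. Only the nonce action name comes from the advisory; the function, option, route and capability names, and the model name, are assumptions chosen for illustration.

```php
<?php
// Added illustrative example (not BetterDocs code). All names prefixed with
// "example_" are assumed; only the nonce action name comes from the advisory.

// --- Vulnerable pattern: the nonce only proves the request came from a page the
// user loaded, and every logged-in user (including subscribers) can obtain one.
function example_generate_openai_content_vulnerable() {
    // 'generate_openai_content_nonce' is the nonce action named in the advisory.
    check_ajax_referer( 'generate_openai_content_nonce', 'nonce' );

    $prompt = isset( $_POST['prompt'] ) ? sanitize_textarea_field( wp_unslash( $_POST['prompt'] ) ) : '';
    $result = example_call_openai( $prompt ); // spends the site owner's API quota
    wp_send_json_success( $result );
}

// --- Hardened pattern: nonce (CSRF protection) AND capability (authorization).
function example_generate_openai_content_hardened() {
    check_ajax_referer( 'generate_openai_content_nonce', 'nonce' );

    // Only users allowed to manage the site may spend the API key's quota.
    // 'manage_options' is an assumed choice; a plugin-specific capability also works.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $prompt = isset( $_POST['prompt'] ) ? sanitize_textarea_field( wp_unslash( $_POST['prompt'] ) ) : '';
    $result = example_call_openai( $prompt );
    wp_send_json_success( $result );
}
add_action( 'wp_ajax_example_generate_openai_content', 'example_generate_openai_content_hardened' );

// --- Same principle for a REST route: permission_callback is the authorization
// check; the X-WP-Nonce header only establishes the logged-in cookie context.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/create-sample-docs', array(
        'methods'             => 'POST',
        'callback'            => 'example_create_sample_docs',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'prompt' => array(
                'type'              => 'string',
                'required'          => true,
                'sanitize_callback' => 'sanitize_textarea_field',
            ),
        ),
    ) );
} );

function example_create_sample_docs( WP_REST_Request $request ) {
    $result = example_call_openai( $request->get_param( 'prompt' ) );
    return rest_ensure_response( $result );
}

// Outbound call using the site's stored key; the option and model names are assumed.
function example_call_openai( $prompt ) {
    $api_key  = get_option( 'example_openai_api_key' );
    $response = wp_remote_post( 'https://api.openai.com/v1/chat/completions', array(
        'headers' => array(
            'Authorization' => 'Bearer ' . $api_key,
            'Content-Type'  => 'application/json',
        ),
        'body'    => wp_json_encode( array(
            'model'    => 'gpt-4o-mini',
            'messages' => array( array( 'role' => 'user', 'content' => $prompt ) ),
        ) ),
        'timeout' => 30,
    ) );
    if ( is_wp_error( $response ) ) {
        return array( 'error' => $response->get_error_message() );
    }
    return json_decode( wp_remote_retrieve_body( $response ), true );
}
```

The capability check belongs in every handler that spends a shared, paid resource on the user's behalf, regardless of whether the entry point is admin-ajax or the REST API. A quick review check for this class of bug is to grep a plugin for 'check_ajax_referer' and 'wp_verify_nonce' calls that are not paired with a 'current_user_can' call, and for 'register_rest_route' calls whose 'permission_callback' is '__return_true' or missing.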

Remediation

Update the BetterDocs plugin to version 4.3.12 or later, which addresses this vulnerability.

Added: Apr 24, 2026, 4:32 AM
Updated: Apr 24, 2026, 4:32 AM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 1.3
exploitability: 5.8
remediation: 7.7
relevance: 6.4
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.